All checks were successful
continuous-integration/drone/push Build is passing
|
||
---|---|---|
group_vars | ||
gtimelog | ||
img | ||
.drone.yml | ||
.gitignore | ||
.gitmodules | ||
activities.yml | ||
ansible.cfg | ||
inventory.ini | ||
LICENSE | ||
playbook.yml | ||
README.md | ||
shell.nix |
Setup for Staff Laptops
This repository contains all instructions alongside an Ansible playbook to set up staff laptops.
Installation of the OS
Currently, we use Debian Bullseye. Installation media are available in the Berlin office or can be downloaded and flashed onto a USB drive.
Once the install is completed via the graphical installer (please encrypt your hard drive), reboot the computer and continue below. Make a physical note of both the user and the hard drive encryption passphrase that you can then hand to whoever will receive the computer so they memorise the passwords and subsequently destroy the physical note.
Package installation via Ansible
First, install Ansible and Git on the target machine by running:
sudo apt install -y ansible git
Next, clone this repository into your home directory by running:
git clone https://git.fsfe.org/fsfe-system-hackers/staff-laptop.git
Finally, execute the Ansible playbook on the target host by running:
cd staff-laptop # Navigate to repository
and then the following command:
ansible-playbook -K -v playbook.yml # When queried for 'BECOME password', enter your user password
This installs all packages commonly used by FSFE staff. This operation will take a while. When it has completed successfully, reboot the computer.
Employee configuration
Now that all the needed packages are installed, some further manual configuration is needed.
E-mails with Thunderbird
Our current email setup is somewhat involved. You receive emails on your
<username>@fsfe.org
address at the email address you specified at
https://my.fsfe.org as your for 'Primary email'. If you are a staffer at the
FSFE, we created an account for you on our IMAP server. The account is
associated with your FSFE account. Next, please open Thunderbird and use
the same credentials to setup your email account. See this article on setting up Thunderbird with your FSFE account. In addition this
article
might help you do that.
If FSFE did not provide you with an IMAP account at the FSFE servers
and you want to be able to send mails from your <username>@fsfe.org
email address from Thunderbird, you need to add a second identity.
For this follow the steps below:
- Right click on your account in the sidebar on the left like
username@domain.de
and choose Settings in the dropdown. - Under Outgoing Server (SMTP) you will find the menu for Manage Identities, click on it
- A new menu will open. Choose Add
- Fill out all the information required. In the field email address put in
your fsfe-mail (
<username>@fsfe.org
). Also the reply-mail should be (<username>@fsfe.org
). The outgoing-mailserver ismail.fsfe.org
and the port number587
. Connection security isSTARTTLS
. The username and password are the same that you use on https://my.fsfe.org.
Matrix chat with Element
Matrix is an important communication channel. Element (the client we suggest you
use to chat with the rest of us and everybody else who uses matrix) should
already be installed on your machine. Alternatively, you can always use the web
frontend provided at https://chat.fsfe.org. Again, you login with the same
credentials that work on https://my.fsfe.org. Make sure that the homeserver is
set to matrix.fsfe.org
. Otherwise this will not work.
Once you are logged in you can ping me (@tobiasd:fsfe.org
) or matthias
(@mk:fsfe.org
) so that one of us can add you to the Staff room or any other
room that is access-restricted.
Next, you should read the Element User Guide. You can skip the 'Onboarding' chapter as you have already successfully logged in. Please pay particular attention to the chapter 'Secure backup' and make sure you have a way to recover your encrypted chats should you lose your computer. Another thing that might help is setting up Element on another device and verifying this new device. Please refer to the aforementioned user guide before reaching out for somebody to help.
Password management
Your credentials are very important ant you should most certainly not have to manage all of them in your head.
Passbolt (organisation)
Passbolt is a Free Software password storage and management service. The FSFE's installation is on pass.fsfe.org and available to people who are concerned with sensible passwords used by multiple people in various teams. It is a web-based service, but uses GPG in the background that encrypts all passwords securely.
The basic idea is that every user creates a new GPG key upon registration, only used by Passbolt. The secret key will be stored within a browser add-on. Every password a user has access to will be encrypted with this key.
The deployment code is here.
Initial Setup
If you belong to the group of people who should have access to a selection of these passwords, you will be invited via email. Then follow these steps carefully, as the security of the passwords and your access depends on it:
- Click on the "get started" button in the e-mail you received from passbolt.
- You will probably be asked to install the Passbolt Extension in your browser. It is available for Firefox and Chromium. If you are done, reload the page.
- You will be asked to verify the server's data. Make sure that you see
https://pass.fsfe.org as domain and
4E477C5EA50C5CA2DF941805C438739EE8F30B36
as server key. Tick the confirmation box if applicable and click "Next" - You will now create your own dedicated GPG for Passbolt. You don't need to provide more data, just click "Next"
- Enter a secure passphrase for your new key. Please store it safely!
- In the next step, you have to download the generated key. This is only possible now, and nobody can recover it! Download it and store it securely!
- As an additional security layer, you can generate a token. Set a colour you like, and memorise it as well as its 3-character representation. It will be shown next to the login and other password fields. If it's different than what you set initially, you will know that the server is not legitimate and somebody is interfering. Please contact your technical contact at the FSFE immediately.
- Now you can log in with your passphrase. Next to the password field, you will see the security token.
Please note that your key is saved within your browser inside the extension, so it is bound to this device and browser. If you ever change browsers or want to set up another device, it is possible to import the key you've saved earlier.
If you're done, inform your happy technical contact at the FSFE, and ask to be added to the respective groups you should have access to.
Usage
To view a password:
- Visit the service website.
- Afterwards, you will see your email and be able to enter the password of your key (not you general FSFE password). Please check the colour/text token next to the password field.
- You will see all passwords you have access to. You can filter via the groups on the left, or search for a password.
- In your browser, you can also click on the Passbolt extension to search within it directly. This may a neat shortcut for you.
To add a new password:
- Click on the blue "Create" button
- Enter a meaningful name, URL, user & password, and a description if necessary
- Select this password and share it with the group it belongs to. Please set it as the owner ("is owner") to make the passwords not depend on individual users.
As of now, there are not classical folders but only a flat list of passwords, separated into groups. A folder feature is in passbolt's pipeline though.
KeepassXC (personal)
If you prefer an offline password manager, this playbook installs one called KeepassXC including its web extension for Firefox. The two links in the last sentence should provide all the information you need to setup and manage your offline password store using KeepassXC.
Nextcloud
There is some general documentation of our Nextcloud instance at https://share.fsfe.org in our wiki over here. The Nextcloud Sync Client should already be installed on your machine. You can use it to automatically sync important folders from Nextcloud with your local file system. Please consult the sync client's documentation should anything be unclear.
Once you've setup two-factor authentication using TOTP, ping your technical
contact at the FSFE should you need access to certain folders like Staff
or
Team
.
Synchronize the Calendar between Nextcloud and Thunderbird
This assumes, that you have a recent version of Thunderbird (version 102 or later e.g. from Debian 11).
- With two-factor authentication activated in Nextcloud, all apps that want to access your Nextcloud account will need an app specific password. So you will have to set one up for the Thunderbird calendar in the security section of your users settings. There you enter an application name (e.g. Thunderbird) to identify the app accessing your account and copy the generated password for later usage. The password will only be shown once, so be sure that you have copied it, e.g. into your password manager.
- Next go to the calendar app in Nextcloud. At the right hand side of your listed calendars you see the three dots button. In the menu that shows up when clicking that button, you find an entry Copy private link.
- Now open the calendar overview in your Thunderbird. On the left side you find a + button in the calendar listing. Hit it. In the upcoming dialog select On the network and click the Next button. On the next page of the dialog you need to enter your FSFE user name, the private link of the calendar and the application password you created for Thunderbird. If you want to have the calendar available off-line, you can tick the checkbox Offline Support here. Finally hit the Subscribe button and Thunderbird will try to add the calendar.
- Repeat step -3- with all calendars you want to synchronize between Thunderbird and the Nextcloud.
Synchronize the Contacts between Nextcloud and Thunderbird
To synchronize your contacts from the Nextcloud with your Thunderbird, you have to install the CardBook addon in your Thunderbird.
Afterwards you can the remote link for your address book in the Contacts app of your Nextcloud at the bottom of the left aside controls beneath the Contacts settings and the three dots next to "Contacts". Copy the link so you can add it to the CardBook addon as described on the above link. For this you'll also need the special password / token generated for the synchronization of the calendar.
Backups with Vorta
There is extensive documentation of our backup process over
here. The backup client called
'Vorta' should already be installed on your machine. There are also videos
documenting its use on our Nextcloud in Staff
> Tech Sessions
> Session 3 - Backups
gtimelog task file and overtime calculator
The basic task file for the gtimelog
tool that is used to record working time has been installed.
In addition the overtime-calc script by Max Mehl has been installed.
Please ensure that the file overtime-calc/config.cfg
in your home directory contains your correct weekly working hours.
A background task is configured to check the log for common errors to facilitate administrative work with the log files. Users get notified about occuring errors with desktop-notifications.
Remote desktop with rustdesk
To use rustdesk with the FSFE identity server for it, the network settings have to be edited. See our rustdesk docs.